Use both capital and lower-case letters if the system recognizes case as significant

Avoid using the same password for multiple sites or purposes

Avoid using something that the public or workmates know you strongly like or dislike

Some guidelines advise against writing passwords down, while others, noting the large number of password-protected systems users must access, encourage writing down passwords as long as the written password lists are kept in a safe place, such as a wallet or safe, not attached to a monitor or in an unlocked desk drawer.[23]

It has been noted that dictionary words can be used to create a very strong password, if several are strung together. The cartoonist Randall Munroe has suggested that this method might be easier to remember than passwords based on the traditional approach.[24]

The possible character set for a password can be constrained by different web sites or by the range of keyboards on which the password must be entered.[25]

As with any security measure, passwords vary in effectiveness (i.e., strength); some are weaker than others. For example, the difference in strength between a dictionary word and a word with obfuscation (i.e., letters in the password are substituted by, say, numbers, a common approach) may cost a password cracking device only a few more seconds; this adds little strength. The examples below illustrate various ways weak passwords might be constructed, all of which are based on simple patterns which result in extremely low entropy, allowing them to be tested automatically at high speeds:[7]

Default passwords (as supplied by the system vendor and meant to be changed at installation time): password, default, admin, guest, etc. Lists of default passwords are widely available on the internet.

There are many other ways a password can be weak,[27] corresponding to the strengths of various attack schemes; the core principle is that a password should have high entropy (usually taken to be equivalent to randomness) and not be readily derivable by any "clever" pattern, nor should passwords be mixed with information identifying the user. Online services often provide a restore-password function that a hacker can figure out and, by doing so, bypass the password. Choosing hard-to-guess restore-password questions can further secure the password.[28]
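The following added example (not part of the original text) shows a registration-time check that rejects the weak patterns described above by undoing common letter substitutions before comparing against default and dictionary lists, and contrasts this with the entropy of randomly chosen words. The word lists, the substitution table and the 2048-word list size are constructed assumptions for illustration.

```python
import math
import secrets

# Constructed sample lists; a real check would load full-size ones.
DEFAULTS = {"password", "default", "admin", "guest"}   # defaults named in the text
DICTIONARY = {"dragon", "monkey", "sunshine"}          # stand-in dictionary
WORDLIST = ["correct", "horse", "battery", "staple",
            "orbit", "maple", "tunnel", "velvet"]      # stand-in passphrase list

# Common obfuscation: digits and symbols standing in for letters.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

def candidates(pw):
    """Forms a guessing tool would also try: de-obfuscated, suffix removed."""
    stripped = pw.rstrip("0123456789!?.")
    return {pw.lower().translate(LEET), stripped.lower().translate(LEET)}

def weaknesses(pw, user_info=()):
    """Return the reasons a password matches a simple, low-entropy pattern."""
    forms = candidates(pw)
    found = []
    if forms & DEFAULTS:
        found.append("default password")
    if forms & DICTIONARY:
        found.append("dictionary word")
    tokens = [t.lower() for t in user_info if len(t) >= 3]
    if any(t in f for t in tokens for f in forms):
        found.append("contains user information")
    return found

def random_bits(choices, length):
    """Entropy in bits of `length` symbols each drawn uniformly from `choices`."""
    return length * math.log2(choices)

def passphrase(n_words, words=WORDLIST):
    """Several words strung together, each picked with a CSPRNG."""
    return "-".join(secrets.choice(words) for _ in range(n_words))

if __name__ == "__main__":
    for pw in ["P4ssw0rd", "Dr4g0n123", "alice1987", passphrase(4)]:
        print(pw, weaknesses(pw, user_info=("alice",)))
    print(random_bits(2048, 4), "bits: 4 words from an assumed 2048-word list")
    print(round(random_bits(94, 8), 1), "bits: 8 random printable ASCII characters")
```

The entropy figures hold only when every word or character is drawn uniformly at random; a phrase a person picks themselves carries less.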